I have pushed a docker image in an ECR Repo in SourceAccount.
I have deployed a codepipeline in the SourceAccount.
When that codepipeline is run, it deploys an ECS stack in TargetAccount. In that stack, ECS tasks are created with containers using the above-mentioned image from SourceAccount. However, those tasks remain pending and eventually move to the stopped state. They show the following error:
Status reason CannotPullContainerError: Error response from daemon: pull access denied for <SourceAccountId>.dkr.ecr.<Region>.amazonaws.com/<RepoName>, repository does not exist or may require 'docker login'
Please advise how to pull images from SourceAccount ECR and create ECS tasks in TargetAccount.
Note:
1) When I push the same image to the ECR of TargetAccount, everything works fine. ECS tasks fail to run only when trying to pull images from another account.
2) The stack rolled back with the following error:
Service arn:aws:ecs:<Region>:<TargetAccount>:service/<ServiceName> did not stabilize.
I fixed it by adding the following policy to the ECR repo in SourceAccount:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<TargetAccount>:root"
            },
            "Action": "ecr:*"
        }
    ]
}
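The policy above works, but it grants every ECR action (push, delete, policy changes) to every IAM identity in TargetAccount. A pull only needs ecr:BatchGetImage, ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability, and only for the ECS task execution role; ecr:GetAuthorizationToken is not resource-scoped, so it comes from the execution role's own IAM policy in TargetAccount (AmazonECSTaskExecutionRolePolicy includes it), which is also why the same-account push in note 1 worked without any repository policy. The following is an added example, not code from the original post: it places the posted policy beside a least-privilege version and runs a small resource-policy evaluator over both to show what each allows. The account IDs, the region-free repository name and the role name ecsTaskExecutionRole are assumed placeholders.

```python
"""Cross-account ECR pull: the broad repository policy from the post beside a
least-privilege one, plus a minimal resource-policy evaluator to compare them.
Added example; account IDs and the execution-role name are assumptions."""
import fnmatch
import json

SOURCE_ACCOUNT = "111111111111"   # assumed placeholder for <SourceAccount>
TARGET_ACCOUNT = "222222222222"   # assumed placeholder for <TargetAccount>
EXEC_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/ecsTaskExecutionRole"  # assumed role name

# Policy as posted: every ECR action, for every identity in TargetAccount.
BROAD_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"},
        "Action": "ecr:*",
    }],
}

# The three repository-scoped actions a docker pull performs.
# ecr:GetAuthorizationToken is granted on the execution role itself, not here.
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability"]

# Tightened policy: only those actions, only for the ECS task execution role.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowEcsExecutionRolePull",
        "Effect": "Allow",
        "Principal": {"AWS": EXEC_ROLE_ARN},
        "Action": PULL_ACTIONS,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _normalize_principal(arn):
    """An STS assumed-role session ARN is treated as its IAM role ARN, which is
    how IAM matches a role named in a resource policy against its sessions."""
    parts = arn.split(":")
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn


def principal_matches(pattern, principal_arn):
    """'*' matches anyone; '<account>:root' delegates to every IAM identity in
    that account (each still needs identity-based permission); else exact ARN."""
    if pattern == "*":
        return True
    principal_arn = _normalize_principal(principal_arn)
    if pattern.endswith(":root"):
        return pattern.split(":")[4] == principal_arn.split(":")[4]
    return pattern == principal_arn


def is_allowed(policy, principal_arn, action):
    """Evaluate one principal/action pair against a repository policy.
    An explicit Deny wins; with no matching Allow the result is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt["Principal"]
        patterns = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if not any(principal_matches(p, principal_arn) for p in patterns):
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]   # IAM actions are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_pull(policy, principal_arn):
    """True only if every action a pull needs is allowed for this principal."""
    return all(is_allowed(policy, principal_arn, a) for a in PULL_ACTIONS)


def policy_text(policy):
    """JSON suitable for: aws ecr set-repository-policy --policy-text file://policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    session = f"arn:aws:sts::{TARGET_ACCOUNT}:assumed-role/ecsTaskExecutionRole/ecs-task"
    stray_user = f"arn:aws:iam::{TARGET_ACCOUNT}:user/someone-else"
    for name, pol in (("broad", BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: exec role can pull={can_pull(pol, session)}, "
              f"exec role can PutImage={is_allowed(pol, session, 'ecr:PutImage')}, "
              f"other user can pull={can_pull(pol, stray_user)}")
    print(policy_text(LEAST_PRIVILEGE_POLICY))
```

Apply the tightened document in SourceAccount with `aws ecr set-repository-policy --repository-name <RepoName> --policy-text file://policy.json` and confirm it with `aws ecr get-repository-policy --repository-name <RepoName>`; the execution role in TargetAccount keeps AmazonECSTaskExecutionRolePolicy (or an equivalent inline policy) so that it can call ecr:GetAuthorizationToken and the three pull actions from its own side.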